Solved

How to remove the Happili "virus"

Posted on 2012-04-05
Last Modified: 2013-11-22
Hi there,

Over the past few days my Google searches have started to be directed to the Happili website.  I was concerned that this was a virus, but I see no mention of it by the various anti-virus providers, nor have multiple scans fixed the issue.

One post I did see suggested that it was not a virus, but that it had changed the proxy settings in my web browser.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Indeed, my Firefox browser did have a proxy selected.

My question is...Does anyone know if Happili really is a virus?  How can I be sure I am safe?

Thanks!
Question by:billelev
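A check for the proxy setting the question describes, added here as an example (not part of the original post): it parses a Firefox profile's prefs.js, which is where the Options dialog stores network.proxy.type, and reports any proxy in effect. The sample prefs text and the host proxy.example.invalid are constructed.

```python
import re

# Firefox's network.proxy.type values; 0 is the "No Proxy" radio button in
# Options > Advanced > Network > Settings from the question above.
PROXY_TYPES = {0: "No proxy", 1: "Manual proxy configuration",
               2: "Automatic proxy configuration URL (PAC)",
               4: "Auto-detect proxy settings", 5: "Use system proxy settings"}

# prefs.js stores one preference per line: user_pref("name", value);
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

PROXY_KEYS = ("network.proxy.http", "network.proxy.http_port",
              "network.proxy.ssl", "network.proxy.ssl_port",
              "network.proxy.socks", "network.proxy.socks_port",
              "network.proxy.autoconfig_url")


def parse_prefs(text):
    """Map preference names to raw values (quotes stripped) from prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def audit_proxy(text):
    """Report the proxy configuration found in a profile's prefs.js.

    Returns the numeric type, its label, whether any proxy is in effect
    (anything other than type 0) and the proxy/PAC values present. When the
    preference is absent Firefox uses its default, type 5 (system proxy).
    """
    prefs = parse_prefs(text)
    ptype = int(prefs.get("network.proxy.type", 5))
    return {"type": ptype,
            "label": PROXY_TYPES.get(ptype, "Unknown"),
            "proxy_in_effect": ptype != 0,
            "settings": {k: prefs[k] for k in PROXY_KEYS if k in prefs}}


# Constructed sample: a profile switched to a manual proxy the user never set.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example.invalid");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""
```

On Windows the profile directory is under %APPDATA%\Mozilla\Firefox\Profiles; read its prefs.js with Firefox closed, since Firefox rewrites the file on exit.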
LVL 6

Expert Comment

by:jacobstewart
ID: 37813016
Download DDS here http://download.bleepingcomputer.com/sUBs/dds.scr

Double click the dds icon to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt <--- will be minimized in the task tray
Save both reports to your desktop.
Include the contents of both logs in your next post.

Author Comment

by:billelev
ID: 37813120
Thanks, jacobstewart.  Files attached.
Attach.txt
DDS.txt
LVL 8

Expert Comment

by:Tymetwister
ID: 37814370
You said you have tried multiple scans, but with which software? When something changes the proxy settings so that it doesn't connect, most times it's some type of malware. Try running a program such as Malwarebytes (again, not sure which programs you've run) and also go into your Control Panel Add/Remove Programs or Uninstall Programs and uninstall any suspicious programs. Finally, please run msconfig from the Run line, choose Selective Startup, and disable any startup items that look suspicious, as well as under the Services tab when you disable all Microsoft services. Hope this helps.

Author Comment

by:billelev
ID: 37816099
Yes, I had already run Malwarebytes, McAfee and 2 or 3 other similar virus scanners (Anvisoft, Norton etc.).  I re-ran Malwarebytes and nothing came up again.  Nothing looked suspicious under msconfig (although that is obviously subjective).
LVL 8

Expert Comment

by:Tymetwister
ID: 37816841
Anything suspicious in the control panel under installed programs?
LVL 15

Expert Comment

by:Russell_Venable
ID: 37817281
You should follow the directions here and post your results.

Main rule of thumb is to kill any rogue processes that the rootkit has run after installing and kill the rootkit that is installed.

Author Comment

by:billelev
ID: 37817323
no, nothing suspicious
LVL 15

Expert Comment

by:Russell_Venable
ID: 37817356
Nothing suspicious as in you have visually inspected, or as in "I have scanned my machine and nothing has come up"?

Author Comment

by:billelev
ID: 37817384
Nothing suspicious as in I have visually inspected AND I have scanned my machine and nothing has come up.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37817445
Interesting. Is this on a business or home environment? This redirect is associated with the TDSS rootkit. Under every case scenario, UAC was disabled. In your case, from one of the report files listed from DDS, you have UAC disabled.

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

Your DHCP server looks fine for what is listed. It looks like you have more of an older hijack trick, specific to tricks used by the TDL3 rootkit. Download GooredFix and see if that removes the redirect from your browser. After this is run, attempt your first test with Firefox and see if it gets redirected, and also please post the logs it outputs.

Author Comment

by:billelev
ID: 37817826
Hi...I ran this earlier in the week and it didn't solve the problem, nor did it this time unfortunately (I just experienced a redirect).

I've attached the log file.
GooredFix.txt
LVL 15

Accepted Solution

by:
Russell_Venable earned 500 total points
ID: 37817892
Ok, this is stealthed already... We definitely have a rootkit installed here. Have you taken precautions and made a backup already? Have a Windows CD ready in case of failure and/or damage caused by this rootkit? If not, I would back up all files and make sure you have an installation backup. Since you are running on x86, please download GMER Antirootkit. When unzipped, check all check boxes except "IAT/EAT", run this scan, save the scan to a file and post the log file here.

Next step is to see if the rootkit is actually hiding the injected file in the temp directory. For this you need to go to %AppData%\..\Local\Temp and check for executables/DLLs in this directory.

We are looking for files that mainly look like this:
%AppData%\..\Local\Temp\<6-7 letters&numbers>.tmp\<5-7 letters&numbers>.dll

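An added example (not the expert's own code) that automates the Temp check from the accepted answer: it looks for DLLs matching the <6-7 letters/digits>.tmp\<5-7 letters/digits>.dll shape one level under Temp, and builds a constructed sample tree to show what does and does not match.

```python
import os
import re
import tempfile

# Shape described in the accepted answer: a folder of 6-7 letters/digits named
# <random>.tmp directly under Temp, holding a DLL of 5-7 letters/digits.
_TMP_DIR_RE = re.compile(r"^[A-Za-z0-9]{6,7}\.tmp$", re.IGNORECASE)
_DLL_RE = re.compile(r"^[A-Za-z0-9]{5,7}\.dll$", re.IGNORECASE)


def local_temp_dir():
    """Resolve %AppData%\\..\\Local\\Temp on Windows (%LOCALAPPDATA%\\Temp)."""
    base = os.environ.get("LOCALAPPDATA") or os.path.join(
        os.environ.get("APPDATA", ""), "..", "Local")
    return os.path.normpath(os.path.join(base, "Temp"))


def find_suspicious_dlls(temp_root):
    """Return sorted paths of DLLs that match the <random>.tmp\\<random>.dll shape.

    Only the first level of .tmp folders is examined, as in the post; an
    unreadable or missing Temp root yields an empty list rather than an error.
    """
    hits = []
    try:
        entries = os.listdir(temp_root)
    except OSError:
        return hits
    for name in entries:
        folder = os.path.join(temp_root, name)
        if not (_TMP_DIR_RE.match(name) and os.path.isdir(folder)):
            continue
        for inner in os.listdir(folder):
            path = os.path.join(folder, inner)
            if _DLL_RE.match(inner) and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)


def demo_tree():
    """Build a constructed Temp tree and scan it; returns (root, hits)."""
    root = tempfile.mkdtemp(prefix="temp-demo-")
    layout = {"ab12cd.tmp": ["xk9q2.dll"],    # matches the described shape
              "setup.tmp": ["helper.dll"],    # folder name too short, ignored
              "ab12cd3.tmp": ["readme.txt"]}  # right folder, no DLL inside
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w"):
                pass
    return root, find_suspicious_dlls(root)
```

Run `find_suspicious_dlls(local_temp_dir())` on the affected machine; legitimate installers also unpack into random .tmp folders, so a hit is a file to check (publisher signature, creation time, whether GMER reports it as hidden), not proof of infection on its own.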

Author Comment

by:billelev
ID: 37819110
Ah..That does not sound good.  If I make an installation backup, will that also copy the bad files?
LVL 15

Expert Comment

by:Russell_Venable
ID: 37819441
Honestly, it's better to have a backup that has malware than nothing at all to work with. The trouble with removing malware like these rootkits is that it gets very difficult as they modify critical files in the system. As soon as you remove it, things like internet connection problems, blue screens, etc. happen. It's a cause and effect. I don't want to see your system damaged further by this malware and have no point of recovery.

In fact, W7 allows you to back up your files and also make a recovery disk as well as a repair disk. Usually the first thing you should do when you buy your computer is to make sure the software aspect is protected in a stored backup disk. It can't be touched by malware that way, and it's a clear sense of relief for the owner as well.
LVL 6

Expert Comment

by:jacobstewart
ID: 37822146
Has ComboFix been tried?  Can we get a HijackThis log as well?

Author Comment

by:billelev
ID: 37823391
Here is the rootkit malware scan file.
Rootkit-Malware-Scan.log
LVL 15

Expert Comment

by:Russell_Venable
ID: 37824393
Wow! That is a lot of hooks!  Can you turn off McAfee's products and Anvi as well? Redo the scan. I need to be sure it's not the antivirus software hooking Explorer and Firefox.

Author Comment

by:billelev
ID: 37825056
I am re-running the GMER scan.  While that takes place, I have attached the log of ComboFix.
log.txt
LVL 15

Expert Comment

by:Russell_Venable
ID: 37825836
Well, it's confirmed. This is a new way to hide malware going around. Before I get the results of GMER without antivirus/antimalware software running in the background, I will continue to check a few items.

Can you confirm that all 3 browsers are being redirected? If not which ones are not?

If Firefox is being redirected, uninstall Mozilla Firefox and Google Chrome, and delete these folders to clean up. Everything in these folders must go.

%APPDATA%\mozilla
%LOCALAPPDATA%\mozilla
%programfiles%\Mozilla Firefox

%APPDATA%\Google
%LOCALAPPDATA%\Google

After this is accomplished, re-install Firefox and Chrome, and test to see if you're still receiving redirects to Happili.

Author Comment

by:billelev
ID: 37827508
Here's the GMER rootkit log (without anti-virus running). The scan confirmed that some rootkit had been detected.

I will work on your suggestions above now.
GMER-Rootkit-Malware-Scan.log

Author Comment

by:billelev
ID: 37827528
Firefox is definitely being redirected still (now to infomash.org).  I tested Chrome, and it didn't look like it was being redirected (but I use Firefox as my browser, so I have a bigger sample set).  I will remove both, then re-install.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37829151
Ok, this one is very persistent. Let's go for a reinstall of one of your antimalware products. Boot into safe mode with networking and reinstall Anvi, scan with aswMBR (good reports of detection). Re-scan with Anvi and look in these areas for these items, then re-test for redirection after you have rebooted.

Folders/Directory locations:
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>\*.lnk

Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce <random>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <random>.exe
HKEY_CURRENT_USER\Software\<random>

Also add these to your hosts file.
Mapbird.info
Infomash.org
Happili.com
gimmeanswers.org/com

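An added example (not from the thread) that applies the hosts-file step above: it parses the existing entries and appends sinkhole lines for the listed domains only where they are missing, so it can be re-run safely. The sample hosts content is constructed, and "gimmeanswers.org/com" is expanded to both TLDs.

```python
# Domains named in the reply above; "gimmeanswers.org/com" expanded to both TLDs.
REDIRECT_DOMAINS = ["mapbird.info", "infomash.org", "happili.com",
                    "gimmeanswers.org", "gimmeanswers.com"]
# Mapping to 0.0.0.0 makes connection attempts fail immediately; 127.0.0.1
# also works but would reach any web server listening on the local machine.
SINKHOLE_IP = "0.0.0.0"
# On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.


def parse_hosts(text):
    """Return {hostname: ip} for active (non-comment) entries in hosts text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:               # one IP may list several names
            mapping[host.lower()] = fields[0]
    return mapping


def add_sinkhole_entries(text, domains=REDIRECT_DOMAINS, ip=SINKHOLE_IP):
    """Append sinkhole lines for each domain (and its www. form) not yet present.

    Returns (new_text, added_hostnames); the input text comes back unchanged
    when every hostname is already mapped, so the call is idempotent.
    """
    present = parse_hosts(text)
    added = [h for d in domains for h in (d, "www." + d) if h not in present]
    if not added:
        return text, []
    block = "\n".join(f"{ip} {h}" for h in added)
    sep = "" if text.endswith("\n") or not text else "\n"
    return f"{text}{sep}# redirect domains sinkholed\n{block}\n", added


# Constructed sample hosts file in which one of the domains is already blocked.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0   happili.com   # added earlier
"""
```

A browser that is still sending requests through a proxy (as in the original question) hands the hostname to that proxy instead of resolving it locally, so the hosts entries only take effect once the proxy setting is cleared.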

Author Comment

by:billelev
ID: 37834961
Here is the aswMBR log file after a safe mode scan.  I ran this without installing Anvi as I didn't want it to interfere...I will now download Anvi and run the scan.
aswMBR.txt

Author Comment

by:billelev
ID: 37835130
Okay, here's the aswMBR scan after running the Anvi scan again.

These all looked fine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce <random>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <random>.exe

HKEY_CURRENT_USER\Software\<random> had a few random entries

Analog Devices > IFShare and SMax4PNP
AppDataLow
Clients > StartMenuInternet
Mozilla > Firefox > Extensions > C:\Users\<USER>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
Redemption . .
Wget
Xenocode


I also modified the hosts file.

I should also mention that yesterday I did a complete reinstall of Firefox.  I've not been redirected since, but I guess that is no guarantee that the issue has been fixed.
aswMBR---after-Anvi-Scan.txt
LVL 15

Expert Comment

by:Russell_Venable
ID: 37835410
Well, it sounds like it was part of the residual files left over from the infection. Most likely either overlay.xul, search plugins, or extensions. I've seen a few variations. Do you log outbound traffic from a router? I would keep an eye on its traffic and watch for incoming/outgoing connections just to be safe for about a week.

As far as the aswMBR log goes, it looks fine. It did not detect any MBR modifications. As long as you're not receiving redirects on the other browsers you should be good.

Author Comment

by:billelev
ID: 37835419
Okay, thanks.  I will give it a week or so before I close this just in case anything comes up.

Should I remove the following registry entry, or just leave?

Mozilla > Firefox > Extensions > C:\Users\<USER>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
LVL 15

Expert Comment

by:Russell_Venable
ID: 37841566
Is that one empty or does that contain wget, redemption, etc?

Author Comment

by:billelev
ID: 37842430
All it contains is

Value Name: {05159B29-79E7-11E1-826D-B8AC6F996F26}

Value Data: C:\Users\<user>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
LVL 15

Expert Comment

by:Russell_Venable
ID: 37843795
Go ahead and delete it then. It's an orphaned folder.

Author Comment

by:billelev
ID: 37843803
It's been over 24 hours and no re-directs.  Fingers crossed!
LVL 15

Expert Comment

by:Russell_Venable
ID: 37845459
Sounds good so far.